Pension Benefit Guaranty Corporation

Office of Inspector General

Audit Report

January 30, 2015 AUDIT-2015-05/PA-13-98

PBGC Compliance with MAP-21 Still a Work in Progress

Pension Benefit Guaranty Corporation Office of Inspector General

1200 K Street, N.W., Washington, D.C. 20005-4026

January 30, 2015 TO: Alice Maroni Acting Director

Christopher Bone Director, Policy Research and Analysis Department

FROM: Rashmi Bartlett Assistant Inspector General for Audit SUBJECT: PBGC Compliance with MAP-21 Still a Work in Progress

(PA-13-98/AUD-2015-05) I am pleased to transmit the final report, PBGC Compliance with MAP-21 Still a Work in Progress. We conducted the audit to review PBGC’s activities and outcomes in response to the FY 2012 MAR, Ensuring the Integrity of Policy Research and Analysis Department’s Actuarial Calculations. We have noted the improvements PRAD has made in its operations and processes such as establishing policies, procedures, and internal controls where none existed previously. PBGC agreed with 7 of the 9 recommendations in this report and noted in their formal response a number of steps it will take to continue to improve the integrity of PRAD’s actuarial calculations. We commend the agency for recognizing that more work is needed and look forward to evaluating its corrective actions to our recommendations.

PBGC disagreed with recommendation 8 that it develop and document a process to communicate formally to the Board instances of delayed compliance or non-compliance with statutorily-required reports. We believe this documentation should include whether there are circumstances under which the agency can elect not to issue statutorily-required reports, the agency official authorized to make such a decision, Board concurrence, and appropriate stakeholder notification including to Congress and the public. PBGC asserts that its current informal and formal communication processes and commitment to open engagement with the Board and Board staff is sufficient. We disagree. We observed in this audit that the agency misperceived itself to be much more open and transparent with its stakeholders than it is in practice. Communication in writing or a mention in a meeting does not necessarily mean that discussions took place, documented decisions were made, or agreements reached. The Board communicated to our office that they were not consulted, nor was there a full discussion of the decision not to re-issue the 2010 report.

PBGC Compliance with MAP-21 Still a Work in Progress Page 2 of 2

Further, it is not effective to resist institutionalizing accountability mechanisms until a control failure or other significant process breakdown occurs and PBGC is forced to make a change. We urge PBGC to reconsider its position and address explicitly situations involving statutorily required reports. That PBGC has already set a precedent in not issuing a required report is concerning, given that it is unclear if either the agency or the Board has the authority to waive the requirement.

PBGC also disagreed with recommendation 9 that PRAD work with WSD and OIT to assess and implement access controls throughout the entire actuarial reporting process. PBGC cited its intent to “survey like organizations to determine best practices.” This response does not address the finding that access controls are missing or inadequate. PRAD should work with IT professionals to develop interim access controls that comply with OMB and NIST requirements while it assesses best practices.

We appreciate the overall cooperation OIG received while performing the audit.

If you have questions, please contact me on extension 4634 or (202) 520-1543.

Attachment

cc: Edgar Bennett Patricia Kelly Cathy Kronopolus Ann Orr Michael Rae Sandy Rich Judith R. Starr

Neela Ranade Martin O. Boehm

AUDIT-2015-05/PA-13-98 i

Executive Summary We conducted a follow-up review to our May 2012 Management Advisory Report (MAR), and determined that the Pension Benefit Guaranty Corporation ("PBGC" or "Corporation") took a number of steps to establish internal controls where few previously existed. We determined that while the Corporation made progress, they did not complete all corrective actions by the deadlines they established and reported to Congress.1 The corrective actions addressed significant weaknesses we identified in the 2012 report. Although PBGC conducted efforts in response to seven of eight "necessary actions", the Corporation completed only two of its corrective actions by the deadline; further work is needed to develop and document procedures specific to the breadth of the Policy, Research and Analysis Department’s (PRAD) business processes (see Appendix B). This occurred because PBGC management did not anticipate the level of effort that would be required for comprehensive corrective action. PBGC set an unrealistic schedule and was unable to achieve its aggressive deadlines, such as those set for the strategic review. In addition, while PBGC developed the timeline and initially executed corrective actions to address significant program weaknesses in PRAD, the department was hampered in its efforts by intermittent gaps in management and insufficient staff levels. The quality of PRAD's actuarial work remains at risk.

NOTE: PBGC recently issued the 2013 Projections Report on June 30, 2014. This audit's focus was to review PBGC's corrective actions with respect to establishing certain internal controls identified in our Management Advisory Report and reported to Congress. These findings and observations do not relate to that report.

PRAD did not take complete or adequate corrective actions in response to the MAR, as follows:

Strategic review of actuarial processes. Though discussed many times with prior leadership, PRAD did not understand the meaning and application of a strategic review. As a result of the MAR, we anticipated a review of business processes would result in a written plan of work. PRAD instead focused on documenting its preparation of one statutorily-required report, and conducted a higher level review of PRAD’s organizational strategies with combined focus on documentation of the report. Voluminous amounts of supporting documentation were recorded into several binders, and PRAD conducted documentation walk-throughs for the creation of the Exposure Report.2 PRAD did not perform a strategic review of its process for creating all actuarial reports from start to finish. Because the review did not include all actuarial work 1 As a result of the MAR, Congress included provisions in the Moving Ahead for Progress in the 21st Century Act (P.L. 112-141), also known as MAP-21, which strengthened our recommended necessary actions. Section 40233(c) of MAP-21 required PBGC to submit to Congress a timetable to address all outstanding OIG recommendations related to PRAD.

2 Beginning in 2014, PBGC renamed the Exposure Report to the Projections Report.

AUDIT-2015-05/PA-13-98 ii

products, PBGC does not have assurance that internal control points have been identified for PRAD’s full realm of actuarial work. This shortcoming proved significant, as the strategic review was a predicate to other MAR necessary actions and coinciding MAP-21 requirements; resulting in an insufficient records management review and an incomplete quality assurance manual.

Quality Assurance Procedures Manual. PRAD developed its first ever Quality Assurance Procedures Manual (hereafter “QAP Manual” or “Manual”) to provide guidance on work process steps, documentation, and quality review. This was an important first step, which must continue to evolve. The QAP Manual should establish standard procedures for all of PRAD's actuarial work, which would in turn allow for criteria against which PRAD can perform adequate quality review. The Manual was limited to the Exposure Report. Although production of the Exposure Report consumes months of PRAD’s time, the Manual lacked adequate coverage of ad hoc inquiries and other statutorily-required reports that constitute the majority of PRAD's actuarial work products. As a result, the Manual was incomplete.

Records management review. PBGC stated that it completed a records management review by its deadline. PBGC records management professionals conducted a records management review of PRAD and developed a comprehensive draft report with considerable findings and proposed recommendations. However, the draft was substantially changed after preliminary review, resulting in a final report with diminished value. Significant findings and recommendations were removed. PBGC has since taken action to address the discarded findings. The records inventory in process throughout field work is now complete. Development of PRAD’s records management procedures was still in progress. PRAD expects to conduct additional work with its file plan.

Reissuance of Corrected Exposure Report. Though PBGC provided documentation of its review and correction of the FY 2010 Exposure Report, the Corporation never reissued the corrected report, as it committed to do. PBGC management concluded that given the passage of time, they saw no benefit in issuing outdated projections; PBGC did not reissue the FY 2010 Exposure Report and elected not to issue the FY 2011 Exposure Report.

Information technology security. PRAD did not properly assess and implement access controls over its actuarial information. PRAD responded and took corrective action as a result of our inquiries. Access controls on PRAD’s shared drive were reported as implemented in 2014; however, those controls were limited to the records folder. PBGC did not assess access controls in other critical areas where PRAD staff and contractors created the records and developed report documentation. PRAD anticipated an alternate records management solution. When PRAD fully reviews its process of actuarial reporting from beginning to end, it should assess the types of access controls needed and identify in its records management procedures all locations that house actuarial documentation. Until PRAD evaluates, implements, and enforces access controls

AUDIT-2015-05/PA-13-98 iii

that incorporate the entire process of actuarial reporting, the integrity and availability of actuarial information is at risk of being compromised.

Recommendation Summary

We provided 9 recommendations addressing issues identified during our audit. Of the recommendations, the most significant is the need for PRAD officials to conduct a comprehensive strategic review of its business processes associated with all actuarial work products. This review is essential so that all critical, relevant business process streams are identified and then controls can be established, institutionalized and continuously monitored to achieve consistent quality work.

PBGC Response and OIG Evaluation

In a written response, which is included in Appendix C, PBGC provided its planned corrective actions which are generally responsive to 7 of our 9 recommendations.

For recommendation 1: PBGC states that it conducted a strategic review of PRAD’s processes for creating, reviewing and documenting actuarial work products, citing many activities and changes it undertook. OIG noted these in our report. PBGC also states that “the next iteration of the Quality Assurance Procedures (QAP) manual will focus on overall processes and overarching procedures,” including ad hoc work, thus concurring that the strategic review PBGC cites was not comprehensive. The additional work PBGC cites in response to this recommendation and others appears to be the comprehensive strategic review OIG recommends.

For recommendation 8: PBGC disagreed with this recommendation to develop and document a process to communicate formally to the Board of Directors instances of delayed compliance or non-compliance with statutorily-required reports. Therefore, this recommendation is unresolved.

For recommendation 9: PBGC disagreed with our recommendation that PRAD work with WSD and OIT to assess and implement access controls throughout the entire actuarial reporting process. PBGC cited its intent to “survey like organizations to determine best practices.” This response does not address the finding that access controls are missing or inadequate. PRAD should work with IT professionals to develop interim access controls that comply with federal requirements while it assesses best practices. Therefore, this recommendation is unresolved.

AUDIT-2015-05/PA-13-98 iv

Table of Contents Executive Summary ......................................................................................................................... i

Table of Contents ........................................................................................................................... iv

Audit Results ................................................................................................................................... 4

Finding 1: PBGC did not perform a comprehensive Strategic Review to identify and document procedures for creating all actuarial work products. ....................................................................... 4

Recommendation 1 (OIG Control Number PRAD-2): ............................................................ 7

Finding 2: PRAD's QAP Manual is incomplete and lacks procedural elements tying together detailed steps and standard documentation for all actuarial work products. ......................... 8

Recommendation 2 (OIG Control Number PRAD-3): .......................................................... 14

Recommendation 3 (OIG Control Number PRAD-4): .......................................................... 15

Recommendation 4 (OIG Control Number PRAD-5): .......................................................... 15

Finding 3: PBGC's records management actions were incomplete. ............................................ 16

Recommendation 5 (OIG Control Number PRAD-6): .......................................................... 20

Recommendation 6 (OIG Control Number PRAD-7): .......................................................... 21

Recommendation 7 (OIG Control Number WSD-1): ............................................................ 21

Finding 4: PBGC did not reissue the corrected FY 2010 Exposure Report. ............................... 22

Recommendation 8 (OIG Control Number PBGC-21): ........................................................ 24

Finding 5: Proper access controls were not instituted for PRAD’s actuarial information. .......... 25

Recommendation 9 (OIG Control Number PRAD-8): .......................................................... 28

Appendix A. Scope and Methodology ......................................................................................... 29

Appendix B. Status of MAR Necessary Actions ......................................................................... 31

Appendix C. Response from the Pension Benefit Guaranty Corporation ................................... 37

AUD-2015-05/PA-13-98 1

Background and Objectives Background

PBGC is a federal government corporation established under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), as amended, 29 USC § § 1301-1461 (ERISA sections 4001-4402). 3 PBGC’s mission is to encourage the continuation and maintenance of private-sector defined benefit pension plans, provide timely and uninterrupted payment of pension benefits, and keep the insurance premiums at a minimum.4 PBGC protects the pensions of approximately 43 million workers and retirees in more than 25 thousand private defined benefit pension plans. These pension plans ensure a specified monthly retirement benefit, usually based on salary or a stated dollar amount and years of service.5

The Policy, Research and Analysis Department (PRAD) develops policy for PBGC's insurance programs and conducts important research and modeling, which serve as the basis for many of PBGC’s financial forecasts. PBGC’s financial projections are an important part of PRAD’s work. Policy activity encompasses legislative and regulatory analysis and proposal development related to benefit guarantees, employer liability, and premiums. Research addresses actuarial and financial issues to support policy development and involves modeling for forecasting purposes.

The Pension Insurance Modeling System (PIMS) serves as PRAD's principal computer system for modeling activities. According to PBGC, PIMS is a stochastic, or randomly determined, simulation model, designed to quantify the risk facing PBGC's insurance programs. PIMS produces thousands of projections and generates a range of possible outcomes and the likelihood of the scenarios for pension plans and for PBGC.

3 As a federal agency, PBGC is bound by The Federal Records Act, National Archives Records Administration (NARA) statutes, Office of Management and Budget (OMB) Information Quality Guidelines, OMB Memorandum-12-18, OMB Circulars A-123 and A-130, Appendix III, Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. Examples of PBGC requirements included the Records Management Interim Guidance, the Records Management Program Procedures Manual, and the Records Management Action Plan. PBGC Information Quality Guidelines are intended to improve the internal management of PBGC. 4 ERISA Section 4002(a)(2); 29U.S.C. § 1302(a)(2) 5 ERISA Section 4022(b); 29 U.S.C. § 1322b

AUD-2015-05/PA-13-98 2

The Corporation relies upon PIMS to respond to many specific inquiries posed by both Congress and the Executive branch. PIMS reports6 provide influential information for stakeholders, which include PBGC senior management, PBGC’s Board, the Executive and Legislative branch staff, Congressional Budget Office, Joint Committee on Taxation, Office of Management and Budget (OMB), Department of Labor (DOL), Government Accountability Office (GAO), private sector employee benefit organizations, and the general public. Stakeholders use the information generated by PIMS when making decisions about laws and policy that impact millions of pensioners.

PRAD relies heavily on actuaries. The Corporation itself reports it is the second highest employer of credentialed actuaries within the federal government; employing approximately 25% of the total working as civil servants.

The Management Advisory Report (MAR). On May 21, 2012, we issued the MAR, Ensuring the Integrity of Policy Research and Analysis Department's Actuarial Calculations (OIG MAR-2012-10/PA-12-87).7 That report informed PBGC management of a serious internal control issue, which arose as a result of a whistleblower complaint received through the OIG Hotline. The review confirmed the complainant's assertion that the Present Value of Financial Assistance Payments for multiemployer plans, as reported in PBGC's FY 2010 Annual Exposure Report issued November 10, 2011, was unrealistically low. Based on a review of available documentation, interviews with key PBGC officials, and analysis, we concluded that PBGC had issued the report with errors and inconsistencies in both the multiemployer and single-employer sections. This occurred because PBGC had not established a quality control or quality review process to ensure the integrity of reported actuarial estimates. Early in our review, PRAD’s prior Director acknowledged the errors and explained that his department did not have policies in place for quality control.

OIG’s MAR contained eight "necessary actions" to correct identified weaknesses, including that PBGC thoroughly review, correct errors and inconsistencies, and then reissue its FY 2010 Exposure Report. To address the procedural and quality control issues, we stated that PBGC should develop, document and enforce policies and procedures to

• ensure adequate review of contractor work performed with PIMS, • review actuarial work reported by PBGC, and • retain supporting documentation of PRAD actuarial work.

The Corporation needed to conduct a records management review, and a strategic review of all actuarial processes to identify key controls. The MAR resulted in Congress including provisions 6 An important product is the Exposure Report (now renamed the Projections Report), which provides an actuarial evaluation of PBGC’s future expected operations and financial status. This report contains estimates and projections for both the single-employer and multiemployer programs.

7 http://oig.pbgc.gov/summaries/PA-12-87.html

AUD-2015-05/PA-13-98 3

in the Moving Ahead for Progress in the 21st Century Act (P.L. 112-141), also known as MAP-21, which strengthened our recommended necessary actions. Section 40233(c) of MAP-21 required PBGC to submit to Congress a timetable for addressing all outstanding OIG recommendations related to PRAD.8

PBGC agreed with all OIG necessary actions in the MAR and provided Congress with a listing of corrective actions and associated timetable to complete all of the scheduled items by a self-imposed deadline of June 30, 2013. PBGC promised Congress it would develop written quality review policies and procedures for all actuarial work, and conduct a records management review to determine which records should be retained as federal records. (See Appendix B)

Objectives

Our audit objectives included: 1) an assessment of PBGC’s corrective actions taken in response to the MAR and reported to Congress, and 2) an evaluation of how PBGC captures, maintains, and disposes of federal records associated with the Policy Research and Analysis Department's (PRAD) business process for actuarial reporting.

8 Section 40233 (c) Report Relating to OIG Recommendations - Not later than 2 months after the date of enactment of this Act, the Pension Benefit Guaranty Corporation shall submit to Congress a report, approved by the board of directors of the Corporation, setting forth a timetable for addressing the outstanding recommendations of the Office of the Inspector General relating to the Policy, Research, and Analysis Department and the Benefits Administration and Payment Department.

AUD-2015-05/PA-13-98 4

Audit Results

Finding 1: PBGC did not perform a comprehensive Strategic Review to identify and document procedures for creating all actuarial work products.

MAR necessary action eight stated: “Consistent with information quality guidelines for federal agencies and PBGC policy, develop and document a strategic review of the processes involved in creating actuarial work products from start to finish, so that critical controls points, including input and output, could be established in order to increase control quality.” Though PRAD officials took steps to review and document portions of their business process, they did not perform a review of all actuarial work products from start to finish. Rather, they focused on documenting their process to prepare the Exposure Report only. We attributed this to PRAD officials not understanding the meaning and application of a strategic review - to identify all business processes and prepare a written plan of work. As a result, PRAD officials did not examine all internal control points for actuarial work products, their QAP Manual was of limited use, and they had no assurance that they identified all key records; conditions in the MAR were only partially addressed.

In its congressional response, PBGC committed to “perform a review of the process involved in creating actuarial reports and document those processes. The documentation will include procedures to be used in the creation of the actuarial reports from start to finish, including the creation and storage of records" showing:

• sources of inputs and the review of those sources and their use,

• outputs from computer simulations and their review,

• work products performing analyses for the reports,

• tracking of results published in reports showing the inputs and process leading to the result.

The Corporation also stated: “The documentation of the above will include standard procedures to be followed for periodic (annual, quarterly, etc.) and for ad hoc reports.”

PRAD did not undertake a strategic review of their business process for creating all actuarial work products from start to finish. In April 2013, PRAD officials told us they struggled with the definition of a strategic review and would provide a plan at a later date. PRAD repeatedly promised a plan and the results of its work were forthcoming. At one point, PRAD stated a strategic review was ongoing and would extend well beyond their reported deadline of June 30, 2013. However, on August 9, 2013 – well past the established deadline – PRAD officials told us

AUD-2015-05/PA-13-98 5

no further work was planned on the strategic review other than a response to the National Bureau of Economic Research (NBER) and Social Security Administration (SSA) recommendations from the first annual PIMS review required by MAP-21.9 PBGC formally responded to our office with the following statement:

PBGC has implemented all of the MAR8 planned corrective actions that were enumerated in our Memorandum to the IG, dated July 27, 2012, and no further action with respect to MAR8 is necessary.

PRAD intended for the Exposure Report review binders and QAP Manual to serve as evidence of the strategic review. We determined that a comprehensive strategic review did not occur. The resulting Manual did not comprehensively cover all modeling and actuarial work performed by PRAD; procedures were incomplete. Though we received reports that walk-throughs were performed to help identify and document PRAD's procedures, we determined that other than an initial demonstration of PIMS, these walk-throughs consisted primarily of providing documentation to those developing the Manual; staff and contractors were not observed performing the steps involved in producing actuarial work products, which would have been a true walk-through of processes and procedures. Our recommendations, reinforced by MAP-21 legislation, intended for PRAD's strategic review to encompass all modeling and actuarial work performed.

PRAD's QAP Manual and voluminous review binders focused on the creation and review of the Exposure Reports, with virtually no coverage of ad hoc requests and other statutorily-required reports that include actuarial analysis, such as the Quinquennial report, Effects of PPA Report, and Section 4010 Report. Additionally, most of the procedures in the Manual – including those for the Exposure Report – were policy-oriented, higher level overviews rather than specific procedures for PRAD staff to follow backed by oversight steps for management. For example, PRAD’s “weighting” 10 procedure did not include checklists or detailed steps of work performed (See page 17). PRAD staff explained that they lacked procedures for ad hoc requests in the Manual because the most recent Exposure Report was to serve as the baseline for every other request. Although the processes for ad hoc requests may be similar, PRAD staff must still

9 On July 6, 2012, the President signed into law The Moving Ahead for Progress in the 21st Century Act (MAP-21) Pub. L. No. 112-141, 125 Stat. 405 (2012). The legislation was enacted primarily to authorize funds for highways, highway safety programs, transit programs, but included other directions, including quality control procedures for PBGC. http://www.gpo.gov/fdsys/pkg/PLAW-112publ141/pdf/PLAW-112publ141.pdf

10 The weighting process for single-employer sponsors creates a representation of the universe of all single-employer plans covered by PBGC’s insurance program from the sample of the universe modeled in PIMS. Multiemployer plans are weighted so that the value approximates the liabilities and underfunding in the universe of multiemployer plans.

AUD-2015-05/PA-13-98 6

perform additional work to modify future assumptions for ad hoc requests. Considering the large volume of ad hoc requests, this left a significant amount of work undocumented.11

PRAD did not perform a comprehensive strategic review that identified

• business processes; • critical control points for review; and • the full universe of actuarial work products and related records.

Similar conclusions were reached in OIG’s November 2013 Report on Internal Controls Related to the Pension Benefit Guaranty Corporation’s Fiscal Year 2013 and 2012 Financial Statements Audit (Internal Controls Report), which also noted PRAD’s lack of adequate documentation of business processes and procedures to ensure that spreadsheet calculations and other activities could be repeated by unassociated officials.

The Standards for Internal Control in the Federal Government define internal controls as an integral component of an organization’s management to provide reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Internal controls, all transactions, and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals, and may be in paper or electronic form.

Following up with the then-PBGC Director, he stated that he personally conducted what he characterized as a strategic review for the Corporation. He noted that as the Director, he is in charge of strategy, and that “PRAD needed a strategy.” The former Director did not document his strategic review, but said it included rethinking of the process and procedures, personnel, changes including hiring, more reliable systems (he suggested the peer review that led to the Buck review)12 and a budget to implement these changes. We commend him for recognizing that additional steps were needed and stating that more work was still planned.

To the agency’s benefit, the former PBGC Director focused his attention on PRAD to evoke some important changes. However, the strategic review we suggested was intended to be more comprehensive and focus also on the variety of work PRAD is called upon to produce. Our

11 Similar conclusions were reached in the PIMS Architectural Analysis, dated September 12, 2013, which reported a high number of ad hoc requests which fall outside of standard procedures.

12 Buck Consultants performed an independent peer review with respect to its ME pension insurance modeling system (ME-PIMS), the review included; an evaluation of the soundness of the economic and statistical theory and actuarial principles that underline ME-PIMS; assessment of the accuracy, completeness, and consistency of input data, the performance data integrity checks, a review of underlying processes used to obtain the data, and a review of critical assumptions (e.g., parameter calibration, to confirm consistency with the observable market.); review of critical actuarial and statistical calculations; review of key assumptions used in ME PIMS, among others. Report dated August 13, 2012.

AUD-2015-05/PA-13-98 7

office consistently communicated our concerns during field work. In an email to the former Director, a PRAD official stated that PRAD leaders expected OIG would report the quality assurance manual should be more detailed on things like contractor oversight, on the steps involved in exposure report production, on the process for ad hoc policy items, etc.

In undertaking corrective action, the Corporation executed an unrealistic self-imposed timeframe and did not complete the most important first step, a strategic review that would be the foundation for remediation efforts. Instead, PRAD officials focused on identifying the breadth of supporting documentation for the Exposure Reports – a necessary step that consumed most of their efforts. Until PRAD executes a thorough review to fully document its breadth of actuarial work products from start to finish, its QAP Manual will be of limited use, internal controls over staff and contractor work will be inadequate, and its records management program will lack proper identification of all federal records; conditions in the MAR will remain partially addressed.

Recommendation 1 (OIG Control Number PRAD-2): Conduct a strategic review of PRAD's business process, observing and documenting work for all actuarial work products developed by PRAD staff and contractors. PRAD should use the results of the review as a foundation for the QAP Manual, identifying critical control points, which can be used by management to ensure procedures which promote standard application of work and effective quality review, and which ensure identification of all federal records.

PBGC Response:

PBGC conducted a strategic review of PRAD’s processes for creating, reviewing, and documenting actuarial work products. This included a rethinking of PRAD’s work process, procedures and personnel, which led to additional hires, a peer review of the Pension Insurance Modeling System by Buck Consultants, and increases in budget. As part of that review, PRAD also addressed its quality assurance procedures and, as a result, began implementing a formal review process for its work products. The review process requires, among other things, a second person to review the numerical results, the qualitative results, and the presentation. PRAD also created specific documentation as to its processes and procedures for producing specific reports and work products.

To further delineate what is necessary and expected of the Department and its employees, PRAD’s Mission and Functions Statement is being redrafted to provide greater detail. PBGC also formulated a draft reorganization plan for PRAD whereby PRAD will be separated into at least two divisions (by function) to provide (among other things) multi-level supervision of the work performed.

Moving forward, PBGC will benchmark PRAD’s operations and procedures against similar agencies/entities to ensure that PRAD’s work processes remain current and state-of-the-art.

AUD-2015-05/PA-13-98 8

PBGC will specifically focus on how other entities manage their reports, analyses, and responses to technical requests.

PRAD will also continue to make improvements in its processes and in the Quality Assurance Procedures for Formal PRAD Reports Utilizing the Pension Insurance Modeling System (PIMS) Manual (the QAP Manual). For example, as noted below, the QAP Manual will be revised to expand its scope beyond reports using PIMS to include other PRAD work products, and to improve its content. The next iteration of the QAP manual will focus on overall processes and overarching principles, and will apply them to specific products (see Recommendation 2 below). The QAP will also focus on documenting controls used to assure and manage the quality of employee and contractor work products and identifying and maintaining appropriate records.

PBGC expects to complete the benchmarking process by December 31, 2015.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation. While PBGC may find benchmarking useful, we encourage the agency to focus its efforts on implementing the framework for internal control written specifically for the Federal government, GAO’s Standards for Internal Control in the Federal Government (aka The Green Book).

Finding 2: PRAD's QAP Manual is incomplete and lacks procedural elements tying together detailed steps and standard documentation for all actuarial work products.

Because of the incomplete strategic review, PRAD officials did not prepare a detailed enough Manual to guide federal and contractor staff in their work, ensuring consistent and well-documented work and establishing criteria for effective management oversight. For example, the Manual did not address:

• adequate oversight and efficient review of contractor work performed with PIMS; • adequate oversight and efficient review of actuarial work reported by PBGC, whether in

an issued report or in response to ad hoc inquiries; and • procedures to retain supporting documentation of work done by PRAD actuaries and of

all accepted actuarial contractor deliverables.

PRAD officials did not ensure the Manual was complete and did not document their actuarial process to ensure consistent application of work. Additionally, officials need to further develop the Manual to address how PRAD staff will review the bulk of work performed by contractors, such as those charged with providing the electronic databases needed for PIMS runs. Without

AUD-2015-05/PA-13-98 9

formalizing documentation requirements within standardized steps, PRAD officials will lack prescribed criteria against which to conduct quality reviews. In addition, they will not be able to verify the completeness and accuracy of actuarial products if there are no procedures and processes in place so that staff can reproduce work. We attributed these conditions largely to the missed opportunity to perform a comprehensive strategic review, and to intermittent gaps in management and insufficient staff levels. As a result, PRAD officials will obtain limited usefulness from the Manual, and the quality of PRAD's work is still at risk.

The federal government’s overarching internal control guidance, OMB Circular A-123 states that, while procedures necessary to ensure effective internal control may vary from agency to agency, management should have a clear, organized strategy with well-defined documentation processes that contain an audit trail, verifiable results, and specify document retention periods so that someone not connected with the procedures can understand the assessment process.

Aligned with the MAR, MAP-21 legislation required PRAD to “develop written quality review policies and procedures for all modeling and actuarial work performed by PRAD.” In response to MAR necessary actions 4-6, PBGC reported to OIG:

• “PRAD will develop, document, and enforce policies and procedures to ensure the adequate and efficient review of contractor work performed with PIMS, including: enumeration of duties and the associated responsible parties (listed by position and by the named person currently responsible) for accuracy, and where applicable, separately for integrity of critical reports.”

• PRAD “will develop, document, and enumerate full enforcement procedures for a quality review of actuarial work reported by PBGC. Assignments for duties; and responsibilities will be listed by position, and by the name of the person currently in that position or responsible for each policy or procedure. The policies and procedures will detail the specific review mechanisms that will ensure appropriate review of outgoing reports as well as documentation requirements.”

• “… PRAD will implement a more formal and comprehensive documentation process, including review, signoffs, and proper storage and retrieval of a Quality Assurance Record that reflects best practices in actuarial consulting firms. PRAD will also develop and document additional policies and procedures to retain supporting documentation of work done by PRAD actuaries and of all accepted actuarial contractor deliverables. These additional policies and procedures will include enforcement mechanisms to assure that policies and procedures are followed.”

To fulfill MAR necessary actions 4 to 6, PRAD developed the QAP Manual. The introduction stated the Manual set forth the policies and procedures of certain reports that rely on the use of PIMS. The Manual also asserted that the procedures were applicable to PRAD actuarial reports that required an accompanying statement of actuarial opinion and were sent to Congress, and available to the public (e.g. Exposure Report). PRAD management stated that the QAP Manual

AUD-2015-05/PA-13-98 10

was also meant to serve as response to the MAP-21 legislation requirement to develop written quality review policies and procedures for all modeling and actuarial work performed by PRAD.

Although PRAD officials distributed the “final” QAP Manual to staff by their promised date of June 30, 2013, it should not consider this full corrective action. The Manual was incomplete and consisted of overviews, purposes, and policy, rather than fully defined processes with a series of progressive and interdependent steps, which would allow for consistent repetition of the process and standard documentation. That was the level of detail PBGC stated it would create. The Manual still placed great reliance on ensuring the supporting documentation was properly transcribed, or "dotted" which did not involve any verification of accuracy.13 The Manual primarily focused on the identification and organization of input and output documentation for the Exposure Report. Additionally, the Manual did not include adequate records management practices.

We would expect PRAD's QAP Manual to contain comprehensive control procedures including:

• detailed procedures for all actuarial work products and PRAD's method of review;

• the realm of contractor performed duties and required methods for PRAD staff to review that work;

• proper identification of input and output documentation for all actuarial work products;

• final signoffs reflecting management approval that actuarial work was completed according to federal standards, such as the Records Management Act, and PRAD's own QAP Manual;

• adequate enforcement methods ensuring staff used the Manual;

• methods for escalating issues identified; and

• appropriate checklists of control points identified in PRAD's process for creating its modeling and actuarial work products.

Improvements Needed in the QAP Manual

Procedures need definition. While PRAD's QAP Manual was undergoing development, a disconnect occurred between the documentation of PRAD's procedures and its resulting QAP Manual. When reviewing the FY 2012 and corrected FY 2010 Exposure Reports in the last quarter of 2012, PRAD was simultaneously developing its QAP Manual and conducting a records management review. PRAD's strategy was to identify and retain supporting documentation for the Exposure Reports, create a File Plan and simultaneously document procedures performed in its process for creating actuarial reports. However, the primary focus of

13 Dotting serves as transcriptional review only; whereby PRAD verifies that numbers have been transcribed accurately as they are copied from place to place. Dotting does not involve any verification of the accuracy of PRAD’s calculations or statements.

AUD-2015-05/PA-13-98 11

this process became identifying the voluminous amount of input and output documentation used in the creation of the Exposure Reports only – a documentation effort that resulted in many binders and a Manual that proved to be of limited use.

PRAD’s approach was to record the procedures for the creation of the Exposure Reports in Memos to File (MTF)14 and include them in the binders. During this time, the Contract and Controls Review Department (CCRD) assisted PRAD in creating a three page MTF to describe the weighting process. However, the MTF lacked adequately detailed steps, providing mostly policy, purpose and broad overviews. To our surprise, PRAD further reduced this three-page document to a bulleted paragraph when transferring it to the QAP Manual. Their procedure lacked significant instruction to enable standard repetition of the process. For example, the first of four steps provided a purpose, "The single employer sponsor weighting process creates a representation of the universe of single-employer plans." And the last step referred to an established process developed by PRAD, but then failed to describe the details of that process. "Each sponsor included in the sample receives a weight based on an established process that includes certain constraints developed by the professional judgment of the PRAD staff and the function of weights within the PIMS." Additionally, the procedure lacked details on how PRAD would accomplish review or sign-off of this particular procedure. As noted above, even in areas where PRAD believed it had documented procedures, they did not address critical details and significant steps.

Further, the Manual’s Chapter 6 – Procedures for Ad Hoc Inquiries and Reports, did not include specific standards when performing work or review of such work, internal control considerations, record management guidance, personnel involved, explanation of contractors’ involvement with such reports, or how ad hoc inquiries are received, assigned and monitored. This chapter included only a single page with three broad procedures, reflecting that PRAD had not fully explored and documented this area of its process. This is significant, since PRAD documented that in just six months, they can receive more than 100 ad hoc requests, which can come from stakeholders in PBGC, Congress, the policy community, and the public. Furthermore, the chapter did not include any procedures for several statutorily-required reports that contain actuarial calculations performed by PRAD – the Quinquennial report, PPA 5 Year Report, and ERISA Section 4010 Report.

Inadequate documentation of review steps for PRAD staff and contractors. Documented oversight of work performed provides a significant internal control. Review procedures should be a critical component of PRAD’s QAP Manual, fully described with clear details, and should apply to PRAD staff and contractor work. During our walk-throughs, we observed that PRAD staff were, in fact, performing reviews of certain ad hoc work, but PRAD did not require staff to document them. For example, a PRAD staff member demonstrated that he conducted a review 14 CCRD intended to use MTF to document procedures used in creation of the Exposure Reports and to identify exceptions.

AUD-2015-05/PA-13-98 12

of his ad hoc work but erased all evidence of his review. He also stated a checklist to document his review would be helpful. The lack of evidence of the performance of the control makes it impossible to opine on the design and operational effectiveness of the internal controls or conclude on PBGC’s oversight of PRAD’s work.

The Manual’s Chapter 3: Procedures for Reviewing and Validating Inputs Into PIMS stated that "PBGC receives electronic databases from the data contractor each year for use in PIMS modeling.” However, it did not detail a single procedure used by PBGC to review the data received from the contractor. Instead, the Manual stated that the "data contractor has internal quality control and review procedures in the data prep manual." A contractor’s quality control procedures do not substitute for PRAD’s careful review and acceptance of contractor work. Despite the lack of documented procedures for PRAD’s review of contractor work, we obtained evidence that PRAD staff performed reviews, even though sign-off was inconsistent. This demonstrated PRAD recognized the value in conducting oversight activities. We encourage them to memorialize this existing process in the Manual.

Lack of ownership and accountability. Well-defined roles and responsibilities are essential for ownership and accountability. Chapter 6 – Procedures for Ad Hoc Inquiries and Reports stated that PRAD should “document appropriately and review the work performed to fulfill any ad hoc inquiries and requests that require the use of PIMS.” However, there were no details of how this was to be accomplished. In turn, PRAD staff demonstrated creation of their own procedures for such requests. These actions are contrary to developing consistent standards and will make implementation and enforcement of standards difficult.

Further, PRAD’s Manual required certification of the Exposure Report, which was to be developed in compliance with Actuarial Standards of Practice ASOP 41. While having actuarial standards as a minimum requirement for quality is a good practice and is encouraged, PBGC is subject to additional standards beyond those applicable to an actuarial consulting firm. As a federal government entity, all PRAD work products, including ad hoc, must comply with agency policies and procedures, as well as executive orders and federal laws such as the Federal Records Act, GAO's Standards for Internal Control in the Federal Government, and OMB’s Circular A-123 Management’s Responsibility for Internal Control and Information Quality Guidelines. We would expect the Manual to reinforce and mandate sign-offs to represent that actuarial work was performed in accordance with actuarial standards, internal PBGC policies and broader federal requirements.

Vague, inconsistent language, potentially unenforceable standards. Because PRAD officials did not ensure their Manual assigned clear responsibility and specify criteria for requirements, such as certification of the Exposure Report, it will be difficult for them to achieve implementation and enforcement. For example, the Manual stated:

• the Chief Policy Actuary and PRAD Director “may” certify that the Exposure Report was prepared in accordance with generally accepted actuarial principles and practices, and

AUD-2015-05/PA-13-98 13

“may” sign the Statement of Actuarial Opinion; the Manual did not provide criteria for making that determination.

• the PIMS Quality Assurance Contractor, primarily used for review of the Exposure Reports, “may” select the procedures for review at that time; there was no criteria for exercising this discretion, or how these procedures would be documented and approved by a federal employee.

• the procedures and report approvals “should” be documented “properly” in accordance with the Manual and the prescribed quality assurance standards; as previously stated, the Manual did not enumerate what constituted “proper” documentation of supervisory review and approval.

• sign-offs would be performed only for the Exposure Reports, and did not describe how they would be accomplished for other actuarial work products.

It will continue to be extremely difficult to assess PRAD in light of its imprecise guidance and ambiguous standards.

Contributing factors to incompleteness of QAP Manual

A number of significant factors contributed to the incompleteness of PRAD’s QAP Manual. Primarily, the lack of a strategic review predicated less than comprehensive development of the Manual, since a thorough review would have documented the full universe of PRAD’s actuarial work products. Seeking to meet its June 30, 2013, deadline, the Corporation adopted an unrealistic schedule to complete the Manual, lacking a clear understanding for the scope of work required. Details of contributing factors:

Fluid understanding of the purpose of the QAP Manual. Another PBGC department – Contracts & Controls Review Department (CCRD) – and its contractor played an integral role in early development of the Manual; however, the resulting product shows that neither PRAD nor CCRD clearly understood the purpose of the Manual. According to CCRD officials, PRAD communicated the general scope through meetings and conversations, but had no written plan to guide development of the Manual. In order to identify input and output documentation and formally document procedures, CCRD and PRAD worked with guidelines and a generic template. This approach might have been effective, but both departments confirmed that they did not conduct any walk-throughs of the described processes to observe PRAD’s processes being performed. In-person, detailed observations typically provide the way for a third party to obtain an understanding of control procedures and business activities so that significant internal controls can be identified. Given the complexity and nature of PRAD’s activities, walk-throughs were an indispensable element for the development of the Manual. CCRD officials stated that it only served in an advisory role and that PRAD owned the Manual and was responsible for finalizing and issuing it. PRAD staff who worked on the Manual with CCRD stated that the Manual was a collaborative document, developed to capture the process. We believe PRAD may

AUD-2015-05/PA-13-98 14

have misplaced such reliance on CCRD for internal controls advice and consultative guidance when the resulting Manual fell short in terms of substance and control consciousness.

Initially, the then-new PRAD Director stated in August 2013, that the Manual went into too much detail and that it should present more policies rather than strict procedures. This viewpoint is contrary to the purpose of a “procedures manual” and to what PBGC’s former Director expressed to us. Several months later, however, the new PRAD Director shared that while performing the process of putting the 2013 Exposure Report15 together, he learned there were a few procedures performed by the contractors that PRAD had not reviewed. At his direction, PRAD instituted additional checks to make sure this would occur. He stated that when he increased supervision of the contractor’s work, it created some hesitation from the contractor since they were not used to this level of scrutiny from PBGC. The PRAD Director provided us with the updated Manual in February 2014; however, we found that the Manual did not memorialize the new contractor review processes the Director instituted.

Fluctuating management. PBGC officials described PRAD management prior to the MAR as chaotic and characterized PRAD’s documentation of the work as sloppy. When PRAD began responding to the MAR and MAP-21 legislation, it was experiencing intermittent gaps in management and insufficient staffing levels while operating under unrealistic deadlines to complete corrective actions; PRAD did not anticipate what would be required to act effectively. PRAD began achieving some management stability when PBGC reassigned a seasoned senior actuarial leader as Acting Director in April 2013. The Acting Director increased staff levels and reported establishing a quality management focus and a new employee culture, emphasizing the need for checking all work products. By August 2013, PBGC installed a permanent Director and PRAD continued to add staff, while retaining the assistance of the senior actuarial leader. The former PBGC Director placed emphasis on obtaining additional staff and establishing effective leadership, performing what he termed as his own strategic review.

Recommendation 2 (OIG Control Number PRAD-3): Once business processes are reviewed to identify control points, augment the PRAD QAP Manual and associated documentation to detail steps used in the performance of all modeling and actuarial work, so that actuarial work products can be reproduced and undergo effective and well-documented quality review. The QAP Manual should include review and oversight methods for consistent use and enforcement of procedures, appropriate approval, and escalation of issues identified.

PBGC Response:

While past updates to the QAP have generally been technical in nature, we agree that the QAP Manual should be expanded to cover all of PRAD’s actuarial work. This would include, among

15 The Projections Report issued on June 30, 2014.

AUD-2015-05/PA-13-98 15

other things, the Projections Report, 4010 Report, Quinquennial Report, Monthly Interest Factors, Annual Expected Retirement Age Determination, President’ Budget Mode, PBGC Data Books, and ad hoc reports.

In addition, as part of this update, PBGC will identify the standard documentation which applies to all areas, and within each specific area, will identify relevant processes, procedures, and reports. The QAP Manual will also specifically identify the review mechanisms for outgoing information, as well as documentation, enforcement, and escalation procedures. Finally, as part of this update, PRAD will formulate a file plan for each major category listed in the QAP Manual.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation.

Recommendation 3 (OIG Control Number PRAD-4): Provide training to PRAD staff on the use of the Manual and its relationship to any additional procedural documents maintained in the department.

PBGC Response:

PRAD will develop and carry out annual training for staff members on quality assurance procedures. We intend to carry out the first segment of this training by June 30, 2015.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation.

Recommendation 4 (OIG Control Number PRAD-5): Modify the PRAD Manual to require that all actuarial work and modeling products are completed in accordance with actuarial standards, internal PBGC policies, and federal records management and internal control requirements.

PBGC Response:

While the QAP Manual already includes a list of authorities, which includes, among other things, ERISA, MAP-21, PPA 2006, Qualification standards for Actuaries Issuing Statements of Actuarial Opinion in the United States, OMB Circular A-123, and OMB Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies, PRAD will modify the QAP Manual to include an express requirement consistent with OIG Recommendation 4 in our next annual update.

AUD-2015-05/PA-13-98 16

OIG Evaluation:

Management’s proposed action is responsive to the recommendation.

Finding 3: PBGC's records management actions were incomplete.

PRAD officials did not fully review and document business processes for all actuarial work products, and perform a proper records inventory. PRAD officials had not completed development of their records management procedures. Working under an unrealistic deadline to complete necessary actions in the MAR, they discarded useful findings in an important first draft of their first records management review. This resulted in records management activities lacking internal controls to ensure staff and contractors created records with standard processes and procedures. This also impaired the Corporation's ability to achieve proper documentation of its business transactions and verification of the accuracy of PRAD's work.

The Federal Records Act states that proper records management is the backbone of open Government. The National Archives and Records Administration (NARA) states the goal of records management is to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations.16 NARA defines records management as the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved in records creation, maintenance and use, and disposition. Thus, the predicate to effective records management is a well-defined business process that identifies expected inputs/outputs and documentation to be created and retained. Typically, accomplishing this does not happen easily or quickly. PRAD’s time schedule did not integrate this perspective. Without completion of the strategic review mentioned prior, PRAD’s records management actions were negatively impaired.

MAR recommendation 7 stated that PRAD should “conduct a records management review of PRAD to determine what records must be maintained as federal records.” PBGC responded: “PRAD has already prepared a File Plan which will support this effort. We are actively engaged in assembling a multi-departmental team to complete this review. The team will include representatives with records management, legal, and actuarial expertise.” PBGC engaged the Workplace Solutions Department (WSD)17 to perform this review.

The WSD staff responsible for PBGC’s records management program conducted a thorough review according to WSD’s documented procedures, which WSD staff stated had been reviewed 16 NARA Frequently Asked Questions about Records Management in General

17 The Workplace Solutions Department (WSD) was formerly known as the Facilities and Services Department (FASD).

AUD-2015-05/PA-13-98 17

by NARA. Based upon nine findings in the draft report, WSD staff concluded that “PRAD does not comply with the Federal Records Act. As a result there is no assurance that PRAD is appropriately managing the records in their custody and that important records are maintained securely.” WSD’s draft report also stated that “to achieve the benefits of compliant Records Management, PRAD must develop Record Management Procedures that document the department is managing their records.” In an effort to assist PRAD with its records management efforts, WSD staff provided PRAD with this important draft report containing the 9 findings and 25 recommendations.

Significant findings included:

• “PRAD did not capture supporting records associated with significant records (for example, the PBGC Data Book and simulations report).”

• PRAD did not maintain historical information surrounding simulations and may not be able to reproduce all simulations.”

• “PRAD contracts do not include records management clauses indicating that contractor-created records are Federal records.”

• “Supporting documentation [for forecast simulations] such as email requests, telephone logs, and meeting notes are not captured.”

• "PRAD should create a tracking log to ensure that forecast requests are captured. Minimally, the log should capture the substantive request, email or telephone conversation, notes, assumptions, constraints, and feedback on documentation/reports being reviewed. This will ensure that changes made to reports are accurately captured and decisions are documented."

We would expect PBGC to formally acknowledge the issues identified in the 28-page draft records management review. When we requested the final records management report, we were surprised to receive something vastly different from the draft report – a two-page document titled ‘PRAD Records Management Review, Work Group Results,’ dated February 14, 2013. This two-page “Results” document did not present any of the findings and only included two of the twenty-five initial recommendations from the draft report.18 In fact, significant alterations were made to the results, stating, “PRAD does a good job of creating and maintaining significant records such as the PBGC Data Book and forecast simulations, but needs to also capture supporting records with regard to the creation of these records.”

18 The original report recommended, “PRAD should further document their business process to ensure all records have been identified. While the Work Group used business functions to identify records, a more detailed examination of business process could identify additional records to capture. The revised report recommendation stated, “While the Work Group used business functions to identify records, in the spirit of continuous improvement, PRAD should conduct deeper process reviews as needed or periodically examine its business processes to ensure all records are identified.”

AUD-2015-05/PA-13-98 18

Upon determining that the critical, substantive recommendations were removed from the final report provided to PRAD, we met with PRAD officials and the former PBGC Senior Agency Official (SAO), assigned to coordinate with PBGC officials to ensure PBGC’s compliance with records management statutes and regulations. PRAD’s then-Records Coordinator stated he was willing and ready to address all of the recommendations, and he began addressing them. However, the SAO stated that WSD worked with PBGC’s General Counsel and PRAD management to revise the scope of the review. They changed the report because the work performed went beyond the scope of the MAR recommendation and PBGC’s response; the former WSD Director confirmed this. PRAD’s Acting Director stated they needed something they could work with and implement by their March 30, 2013, deadline. We disagree with management’s approach. Limiting the final records management review to the Exposure Report, simply because the genesis of the MAR stemmed from OIG review of the FY2010 Exposure Report, was shortsighted. More importantly, the records management review had already been done. To discard that draft report with its useful findings and recommendations about needed improvements to PRAD’s overall records management was at best, a missed opportunity. At worst, it was a waste of government resources and a disregard of known issues that needed to be addressed. Necessary records management processes were unaddressed or insufficient. In a few cases, PBGC has made progress or completed corrective action since conclusion of fieldwork and we have noted such.

Incomplete records inventory. Both WSD staff and PRAD’s prior Records Coordinator confirmed that the initial records management review did not include a records inventory.19 Further, the File Plan did not reflect the full scope of PRAD’s records.

Rudimentary file plan. Because a comprehensive records inventory was not performed, PRAD produced and implemented a rudimentary File Plan.20 Yet, PRAD reported the File Plan was completed in its response to us a year prior, July 27, 2012. Our review of the File Plan disclosed it contained an incomplete categorization of files and was specific to the FY 2012 Exposure Report only. Consequently, the File Plan underwent repeated updates. Over eight months (January to August 2013), PRAD updated and finalized its File Plan seven different times, and continued updates were planned into 2014, according to PRAD’s Records Management Compliance Roadmap. PRAD officials stated that the File Plan categories were reduced because they needed something simpler that PRAD could manage and implement immediately.

Without a records management taxonomy and protocol, PRAD staff encountered documents they could not readily identify and categorize according to the File Plan. In lieu of having records 19 NARA’s Records Management Handbook states that a file inventory is a descriptive listing of each record series or system, together with an indication of location and other pertinent data. It is not a list of each document or each folder but rather of each series or system. Its main purpose is to provide the information needed to develop the schedule. A records schedule identifies records as either temporary or permanent.

20 A File Plan is a tool for records management. It is a classification scheme describing: different types of files maintained in an office; how they are identified; where they should be stored; how they should be indexed for retrieval; and a reference to the approved records disposition schedule for each file.

AUD-2015-05/PA-13-98 19

management procedures to follow, PRAD staff were to consult individually with the prior PRAD Records Coordinator to place files in proper storage areas. In practice, this case-by-case coordination with the departmental then-Records Coordinator proved unsuccessful. We found that PRAD staff were not even consistently following the basic File Plan and that virtually no enforcement procedures were documented to address failure to do so. Lest this be viewed as an administrative exercise, PRAD experienced a very real consequence of their rudimentary file plan and poor oversight/monitoring; a PRAD staff member could not locate the dotted Quinquennial Report upon our request. The dotted Quinquennial Report is a significant work product for PRAD and if not available, the agency is at risk of not being able to demonstrate that the work was performed with due diligence.

Records management procedures not in QAP manual. As of June 2014, PRAD had not yet completed records management procedures. When completed, implemented and enforced, this will help ensure that employees are trained to consistently review and document PRAD's work, allowing PRAD to comply fully with the Federal Records Act and PBGC policies and procedures. PRAD expected to complete records management procedures by the end of FY 2014. Until PRAD officials properly develop and implement comprehensive procedures, PBGC remains vulnerable to conditions noted in the MAR.

No procedures for documents in shared portal. Contractors share documents with PRAD staff through a storage portal, however, the portal is not mentioned in the records management section of the Manual. PRAD’s then-Records Coordinator stated he did not know what types of records were in the portal. PBGC expects to discontinue use of the portal with implementation of an alternate records management system.

Incoming requests not tracked. The original draft records management report recommended that PRAD create a centralized Tracking Log for work requests received. PRAD created a request tracking log, but had not provided training on using the request log, and had not implemented the log. This condition remains and PRAD has not assigned responsibility for the request log. Absent a mechanism for tracking requests, it will be difficult for PRAD to capture and effectively manage an important part of its business process.

File migration incomplete. PRAD had not completed migration of files to a central storage location on the network shared drive. After our inquiries, PRAD and WSD reported this file migration was complete in April 2014.

Working directory not identified in Manual. Existing PRAD (unstructured, electronic) records were said to be housed in a working directory prior to migration to designated records folders on the network shared drive. However, PRAD officials did not include this important instruction in

AUD-2015-05/PA-13-98 20

the brief records management procedures within its Manual, Chapter 8 – Record Retention Considerations.21

Records management clause not in contracts. The draft records management review recommended that PBGC program and procurement offices should develop standard contract clauses to make sure that the agency’s contactors preserve and maintain records in accordance with federal records management requirements. As a result of our repeated inquiries, PRAD amended both of its contracts to include a records management clause.

Document Naming Conventions Not Established. Naming conventions had not been established and documented for the network shared drive. This is contrary to NARA strategies and best practices for managing content on a shared drive. NARA also states that agencies lacking policies and procedures to control the content stored on a shared drive are likely to have large volumes of unmanaged files spanning many years, and as a result, the tasks of identifying, removing and organizing files will be time consuming and costly.

WSD and PBGC’s Quality Management Department (QMD) offered to assist PRAD in defining its business processes in June of 2013; however, WSD personnel documented the decision of the then-Acting PRAD Director to decline this service. PRAD reported to WSD that they were a small department and unable to undertake such a task. WSD continued to offer guidance and assistance to PRAD by sending NARA materials to assist with this task.

PRAD did not use the more expansive records management review that WSD performed and conducted work under the unrealistic deadline that PBGC established. As a result, PRAD continued to lack internal controls to ensure staff and contractors create records with standard processes and procedures that produce reliable, usable records and content through proper records creation, maintenance, use and disposition. The Corporation could not provide reasonable assurance it identified the federal records that should be maintained in order to comply with the Records Management Act and PBGC policies. Until PRAD officials implement methods which identify all records in its business process, PBGC’s accountability to create and retain documentation that is vital to support agency actions is impaired, and verification of the accuracy of PRAD’s work products will remain difficult.

Recommendation 5 (OIG Control Number PRAD-6): PRAD should complete documentation of all records management procedures. The procedures should include clear control points for record retention procedures, identify all storage areas used in the creation, identification and formalization of records, ensure File Plan integration, and establish supervisory quality checks. All staff and contractors should receive training on finalized procedures, and annually thereafter.

21 This instruction has since been included in PBGC’s draft records management procedures.

AUD-2015-05/PA-13-98 21

PBGC Response:

PRAD will catalog recurring processes and restructure a process-based records management plan. The approach for this plan will take into account the findings of the benchmarking efforts outlined in responses 2 and 6. PRAD will implement a training program for staff on the plan once established.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation.

Recommendation 6 (OIG Control Number PRAD-7): To manage ad hoc requests, PRAD should develop, implement and monitor documented procedures that designate responsibility for a centralized repository, which at minimum documents the incoming request, date received, to whom assigned, requestor, resolution of response, supervisory review, and completion date.

PBGC Response:

PRAD will identify comparable agencies and departments for the purpose of determining best practices for categorizing and responding to the myriad of different types of requests it receives. Based on those findings, PRAD will update its QAP Manual and coordinate with WSD and OIT to develop an appropriate solution consistent with PBGC resources. PBGC expects to complete this process by December 31, 2015.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation. However, given the large volume of requests PRAD receives annually, an interim approach to the fundamental control of logging requests should be established.

Recommendation 7 (OIG Control Number WSD-1):

PBGC should continue to have WSD perform independent Records Management Reviews in accordance with its NARA reviewed procedures manual and require departments to take action on the findings. If the agency determines that findings are not feasible, it should provide WSD with a documented explanation of risk acceptance.

PBGC Response:

WSD will continue to work with the RM Business Council to define agency evaluation goals and perform records management reviews in accordance with those goals. PBGC will regularly

AUD-2015-05/PA-13-98 22

review the evaluation criteria and goals beginning with the issuance of the Record Management Directive in 2015.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation.

Finding 4: PBGC did not reissue the corrected FY 2010 Exposure Report.

Though PRAD officials took action to review, correct errors, and document work for the FY 2010 Exposure Report (Report), PBGC officials elected not to reissue the Report. This occurred because PBGC officials saw no benefit to issuing what they termed as "already outdated projections." In addition, PBGC set deadlines to complete all work by scheduling many complex actions to occur simultaneously: complete work and issue the corrected FY 2010 Report; respond to other necessary actions in the MAR; complete work and issue the FY 2011 Report; and begin current work for the FY 2012 Report. However, their strategy proved insufficient and PBGC officials did not reissue the FY 2010 Report.

ERISA section 4008 requires PBGC annually to submit a report that includes financial statements and an “actuarial evaluation of the expected operations and status of the funds established under section 1305 of this title for the next five years (including a detailed statement of the actuarial assumptions and methods used in making such evaluation).” Section 4008(b) further requires that the report include — (1) a summary of the Pension Insurance Modeling System microsimulation model, including the specific simulation parameters, specific initial values, temporal parameters, and policy parameters used to calculate the financial statements for the corporation.”

MAR necessary action 3 stated: “reissue the corrected FY 2010 Exposure Report in the same manner in which the original report was issued by sending it to parties who received it and posting the updated Report (identified as revised with a new issue date) on PBGC's external website.” When responding to the MAR, PBGC committed to complete their corrective action in its entirety.

PBGC performed a review of the FY 2010 Report and provided us documentation showing that they corrected prior identified errors and inconsistencies, fulfilling corrective action on necessary actions 1 and 2. The CCRD and a contractor assisted PRAD in this effort. PBGC informed Congress that it would reissue the corrected Report by October 31, 2012, and then extended the deadline to March 31, 2013. However, at some point, PBGC decided not to reissue the corrected Report. The Corporation's focus shifted to the development of the FY 2012 Report and answering the additional necessary actions in the MAR. PBGC devoted significant resources to addressing identified issues and correcting the FY 2010 Report, so it could have easily posted it on its website.

AUD-2015-05/PA-13-98 23

On October 15, 2013, the former PBGC Director provided a formal letter to us explaining his decision not to reissue the FY 2010 Exposure Report. In the letter, the prior Director stated:

Since we have now issued a set of projections as of FY2012, we see no benefit on issuing projections whose only difference is that they start from an earlier date. For the same reason, we decided not to issue the FY2011 Exposure Report. Instead we are focusing our efforts on implementing the new quality assurance procedures to the upcoming FY2013 Exposure Report.

In many meetings prior to October 2013, OIG leadership repeatedly told PBGC leaders, including the former Director, they needed to have a discussion with the Board to obtain their concurrence with the agency’s decision not to issue the Report. Board officials informed us in September 2013, that the former Director informed them of his decision not to issue the reports in a conference call. After we issued a draft of this report, PBGC officials provided documentation they stated supported their discussion of the FY 2010 Report with the Board. However, we concluded this documentation related to issuance of the FY 2011 Exposure Report. 22

PRAD officials scheduled responses to the MAR within an unrealistic timeframe - they expected to complete stated corrective actions, including review, correction and reissuance of the FY 2010 Report by June 30, 2012. This was problematic, because PRAD staff stated that preparing an Exposure Report alone takes months, which meant they would need to simultaneously review, correct and reissue the FY 2010 Report, conduct work on the FY 2011 and FY 2012 Reports, and complete other corrective actions from the MAR, while responding to ad hoc work requests. Further, PRAD was understaffed and experiencing intermittent management gaps during this time. Though CCRD and a contractor assisted with the Reports, PRAD's self-imposed deadline proved unrealistic; PRAD did not issue the corrected FY 2010 Report or FY 2011 Report, and began work on the FY 2012 Report.

As a result of PBGC's decision not to issue the Report, PBGC did not fulfill its obligation, as set out by MAP-21. Key stakeholders, such as Congress and the general public, expecting these reports, did not receive the information expected. While the former Director’s letter to OIG stated that “we see no benefit” in reissuing the FY 2010 Report, it is important to remember that these Reports are not completed for PBGC’s benefit, but rather, for their stakeholders. And, in this case, since PBGC made errors in the issued FY 2010 report, a re-issued corrected Report would have demonstrated PBGC’s commitment to providing accurate work, even if late. We recognize there is no statutory consequence for failing to file the Reports; however, we are

22 PBGC officials did not issue the statutorily-required FY 2011 Report. Though they provided documentation supporting conversations held with the Board regarding the decision not to issue the FY 2011 Report, it is not clear that this action waived, or could have waived, PBGC’s statutory requirement. As the MAR was issued in May 2012, the FY 2011 Report was not covered in the MAR and is not addressed here.

AUD-2015-05/PA-13-98 24

concerned that the Corporation’s decision could be used as a precedent in the future for declining to issue this or other statutorily-required reports.

Recommendation 8 (OIG Control Number PBGC-21): PBGC should develop and document a process to communicate formally to the Board instances of delayed compliance or non-compliance with statutorily-required reports. This documentation should include whether there are circumstances under which it can elect not to issue required reports, the agency officials authorized to make such a decision, and Board concurrence.

PBGC Response:

We are committed to open engagement with our Board and Board staff. Because PBGC management already has a formal and informal process for communicating with the Board and Board staff, we do not believe it is necessary in this instance to develop a new, separate communications policy covering the issuance of statutorily required reports.

In carrying out its oversight function, the Board meets on a quarterly basis with management to discuss PBGC matters. In addition, on a regular basis, Board representatives and staff participate in a conference call with PBGC management. Finally, in addition to these regularly scheduled meetings and calls, PBGC management regularly communicates and consults with Board staff on an informal basis.

In sum, PBGC management recognizes that it has a duty to inform the board of material information relating to the Corporation in order for the Board to effectively carry out its oversight function. To that end, PBGC has implemented formal and informal processes for communicating material information to the Board and Board staff. Therefore, in management’s view, developing a new, separate communications policy covering statutory reporting requirements is not warranted under the circumstances.

OIG Evaluation:

OIG does not agree with PBGC’s position. Our observations indicate that the agency often misperceives itself to be more transparent and accountable with its stakeholders than it is in practice. Communication in writing or a mention in a meeting does not necessarily mean that discussions took place, agreements were reached, or decisions were documented. The Board communicated to our office that they were not consulted, nor was there a full discussion of the decision not to re-issue the 2010 Report.

Further, it is not effective to resist institutionalizing accountability mechanisms until a control failure or other significant process breakdown occurs and PBGC is forced to make a change. We urge PBGC to reconsider its position and address explicitly situations involving statutorily-required reports. That PBGC has already set a precedent in not issuing a required report is

AUD-2015-05/PA-13-98 25

concerning, given that it is unclear if either the agency or the Board has the authority to waive the requirement.

This recommendation is unresolved.

Finding 5: Proper access controls were not instituted for PRAD’s actuarial information.

PRAD utilizes a network shared drive to store records, including those that support actuarial work performed. At the time of this review, PRAD officials recognized that records on their shared drive were not adequately protected from unauthorized additions, modifications and deletions. Upon our inquiry, PRAD submitted a request23 to OIT in June 2013, to strengthen the permissions of the records folder on its shared drive, which would prohibit users from overwriting the existing records specific to its records directory. WSD assisted in this effort. However, PRAD deferred this action in lieu of an alternate records management solution, which was not expected to be completed until late FY 2015. Upon our additional inquiry in early 2014, PRAD reported it followed through to implement controls over the records folder of the shared drive. Though they addressed access controls, PRAD did not consider the entire actuarial reporting process from start to finish. Had PRAD done so, they would have taken additional action to ensure that all areas involved in the creation and development of actuarial information received similar assessment and safeguards. That action would have better protected the integrity and availability of actuarial information prior to formal declaration as records and placement in the records folder on the shared drive. PRAD staff reported that IT security was at the “bottom of the list.” As a result, actuarial work was at risk for being lost, or compromised due to unauthorized additions, modifications and deletions.

OMB Circular A-130, Appendix III,24 requires agencies to ensure the availability and integrity of information. One way to protect information is by restricting access to only those who need it, i.e., least privilege. The National Institute for Standards and Technology (NIST) sets federal requirements and states that the principle of least privilege allows users only the access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

On its own, a shared drive is not a recordkeeping system; it requires intervention. NARA recommends that agencies work with IT to ensure that the integrity of shared drives is 23 Describes a formal ticket that initiates the fulfillment of application access, hardware access, asset requests, and workspace modifications for employees at PBGC.

24 Agencies are required to provide adequate security means commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.

AUD-2015-05/PA-13-98 26

maintained. As previously noted, NARA recognizes that scaling records management over a shared drive in a large organization is difficult. However, a shared drive can be a recordkeeping system through a combination of manual and automated policies and procedures. This can be accomplished by declaring, capturing and organizing content in order to identify and file record copies within the shared drive. NARA Bulletin 2012-02, Guidance on Managing Content on Shared Drives (December 6, 2011) states:

• the use of shared drives poses recordkeeping challenges because agencies may store content that includes federal records and non-records materials.

• through a combination of manual and automated policies and procedures a shared drive can be a recordkeeping system though, on its own without the policies, a shared drive does not provide the functionality of an electronic recordkeeping system.

• strategies and best practices for managing content on a shared drive include establishing and enforcing naming conventions applicable at folder, sub-folder, and file level.

In a June 2013 meeting, PBGC Records Management officials from WSD advised PRAD’s then-Records Coordinator to lock down certain folders on the shared drive; once in place, PRAD employees would have “read only” access to the documents. PRAD's former Records Management Coordinator stated that PRAD was working with the Office of Information Technology (OIT) to develop the necessary controls to lock down the shared network drive and restrict access. PRAD recorded its plans for securing the shared drive in its Records Management Compliance Assistance Roadmap, and reported progress on these activities through Records Management Status Reports throughout our fieldwork.

Although PRAD was working with the OIT to establish permissions on the shared drive, the agency was planning to implement an alternate records management solution, which would replace its shared drive. No further work occurred to implement shared drive permissions until we made additional inquiries in April 2014. PRAD then again began working with OIT and reported permissions were established and successfully tested. However, these permissions only applied to the records directory on the shared drive. This was problematic because PRAD staff and contractors also used a working directory and portal for actuarial information, where records were created and identified prior to being formalized and moved to the designated permanent records folder. Further, PRAD had not established procedures on moving records into the designated directory; one PRAD staff member stated that he was instructed to move files from a temporary directory to the records directory on the shared drive once annually. Actuarial information in PRAD’s working directory was exposed to additions, modifications and deletions, contrary to NIST standards, NARA guidance, and PBGC policies and procedures for access control and "least privilege."25

25 IR-PRC-06-01, PBGC Enterprise Systems and Services Access Control Standard Operating Procedures, describes least privilege as the control of only allowing authorized accesses for users (and processes acting on behalf of

AUD-2015-05/PA-13-98 27

The need for document control and security has been consistently demonstrated through PRAD’s difficulty in locating supporting documentation for actuarial work performed – first pointed out in the MAR with respect to the FY 2010 Exposure Report. This occurred again during fieldwork when PRAD staff could not readily locate the dotted Quinquennial Report. Further, IT staff working with PRAD reported that they were unable to locate a specific records folder that had been set up for PRAD, most likely due to it being deleted or moved. In spite of these incidents, PRAD did not act to implement controls over the shared drive because OIT advised PRAD to await the move to the alternate records management solution, for which migration was slated to complete in late FY 2015. In the meantime however, PRAD could have taken steps to improve document retention and reinforce file storage protocols so that information was properly maintained, reducing the risk that critical work could not be found. Even when fully implemented, PRAD will still need to define privileges and access rights in order for implementation of the tool to be effective. This raises concerns that PRAD will not be well-positioned to take advantage of the functionality in an alternative records management solution.

PBGC is aware of information security control weaknesses in PRAD. OIG’s November 2013 Internal Controls Report informed PBGC that access control weaknesses in PRAD contributed to one of the material weaknesses.26 On September 12, 2013, PBGC Executives were briefed on the completion of the PIMS Enterprise Architecture Study; a first step in the security process for PIMS. Several weaknesses in PIMS were identified for correction, such as an outdated database, lack of auditing capabilities to track users who entered and checked information, and output that required a high number of manual steps. PRAD has begun to address its information security weaknesses and expects FISMA compliance for PIMS with an Authorization to Operate during FY 2015.

Without broader application of the concept of “least privilege”, actuarial information outside of the records folder is at risk for unauthorized additions, modifications, and deletions. Because it had not taken steps restricting access to actuarial information throughout the business process, PRAD could not assure it captured reliable and usable record content that documented actions, decisions and related work activity, according to federal requirements and PBGC policies. The integrity and reliability of PBGC information was at risk.

Additionally, PBGC's plans to move to an alternate records management system will affect PRAD and other PBGC departments who rely on shared network drives and other storage areas,

others) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. SE-STED-01-04, PBGC System Privilege Standard, defines the requirements for least privilege.

26 Weaknesses were also noted in PRAD’s business process controls. PRAD uses spreadsheets in the determination of the interest rate factor used for calculating PBGC’s liabilities for future benefits that do not have adequate controls over access to data, information security and changes. A contributing factor set the stage for this deficiency; PRAD's lack of adequate documentation of its process and procedures to ensure that spreadsheet calculations and other activities could be repeated by unassociated officials.

AUD-2015-05/PA-13-98 28

since PBGC intends for the solution to replace these. PBGC must exercise care in this transition to set up proper permissions and allow PRAD enough time for careful planning of access privileges and records management considerations. In preparation for this transition, PRAD should begin to establish content types and standard naming conventions now rather than waiting until the new system is implemented.

Recommendation 9 (OIG Control Number PRAD-8): PRAD should work with WSD and OIT to assess and implement access controls for actuarial information throughout the entire actuarial reporting process, and incorporate where actuarial records are created, developed and identified, in accordance with federal regulations and PBGC policies and procedures.

PBGC Response:

As part of the benchmarking process described in PBGC’s responses to OIG Recommendations 1 and 6 above, PRAD will survey like organizations to determine best practices. Once this review is complete, PRAD will work with WSD and OIT to make any necessary changes to PRAD’s systems and policies.

OIG Evaluation:

Management’s proposed action is responsive to the recommendation. PRAD should work with IT professionals to develop interim access controls that comply with OMB and NIST requirements while it assesses best practices. Therefore, this recommendation is unresolved.

AUD-2015-05/PA-13-98 29

Appendix A. Scope and Methodology

According to our audit objectives, we performed our audit work within the Policy Research and Analysis Department at the Pension Benefit Guaranty Corporation in Washington, D.C., from June 12, 2013 through June 30, 2014. We obtained and reviewed records associated to PRAD’s response to the MAR, processes surrounding actuarial reports, and associated records management activities. The scope of records reviewed included those documents which indicate PRAD’s business processes surrounding actuarial reports, and significant actuarial activities conducted in response to specific requests and statutory requirements, such as the Exposure Reports from FY 2010 forward. This encompasses documentation associated to contractor oversight, key decisions and business activities related to PRAD’s actuarial reports. This also encompasses records PBGC provided after we issued the draft of this report; specifically, PBGC officials provided emails the believed supported discussions of the FY 2010 Exposure Report with the Board. Records associated to PRAD’s response to the MAR include, but are not limited to, Quality Assurance Procedures for Formal PRAD Reports Utilizing the Pension Insurance Modeling System (PIMS) and included File Plan, Revised FY2010 and FY2012 Exposure Report Review Binders, and PRAD Records Management Review Work Group Results.

We accomplished the audit objectives by performing the following procedures:

• Identified and reviewed applicable PBGC criteria, policies, procedures and practices and current federal criteria, laws, regulations, and guidance as it related to our audit objectives. Reviewed criteria include the Federal Records Act of 1950 as amended, Presidential Memorandum- Managing Government Records, NARA’s Record Management Language for Contracts, PBGC Records Management Procedures Manual, PBGC Interim Guidance, Standards for Internal Controls in Government and ERISA section 4008, among others.

• Interviewed the former Director of PBGC, Director of PRAD, Acting Director of PRAD from April through August 2013, former Chief Policy Officer, Chief Management Officer, CCRD officials, WSD Director and staff,27 COR for PRAD contracts, PRAD Actuaries, PRAD Economists, PRAD former Records Coordinator, and PBGC’s Records Officer.

• Conducted walk-throughs of activities performed by appropriate PBGC officials and staff, as well as those with roles in creating actuarial reports or supporting documentation, in order to assess the appropriateness and relevance of PRAD’s procedures, methodologies and internal controls.

• Obtained and reviewed pertinent PBGC records, including but not limited to emails, associated to the status and completeness of PRAD’s stated corrective actions according to PBGC’s schedule established in response to the MAR and direction from Congress, specifically The Moving Ahead for Progress in the 21st Century Act, (MAP-21).

27 The Workplace Solutions Department (WSD), formerly known as the Facilities and Services Department (FASD)

30 AUD-2015-05/PA-13-98

• Obtained and reviewed pertinent PBGC records, including but not limited to emails, related to PRAD’s business processes surrounding actuarial reports, and associated records management activities.

• Assessed the risks and the resulting impact of PBGC’s status of corrective actions on PBGC and its stakeholders, as related to quality assurance, contractor oversight, and adequate records management.

Our audit work did not include an evaluation of PIMS specifically, although work products resulting from PIMS were reviewed and we evaluated aspects of how PIMS is used as related to PRAD’s business process for actuarial reporting. PIMS itself was reviewed during the November 2013 Report on Internal Controls Related to the Pension Benefit Guaranty Corporation’s Fiscal Year 2013 and 2012 Financial Statements Audit (Internal Controls Report).

The audit was conducted in accordance with Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our conclusions based on our audit objectives. Therefore, we conducted our work in a manner whereby we believe sufficient evidence was obtained in order to provide a reasonable basis for our conclusions based on our audit objectives.

AUD-2015-05/PA-13-98 31

Appendix B. Status of MAR Necessary Actions

MAR Necessary Action PBGC's First Report on its

Response to the MAR

PBGC's Reported

Target Dates

PBGC's Final Report to OIG

on its Response to

the MAR

OIG Comments & Opinion on Completion

(Yes or No)

1. Conduct a thorough review of the 2010 Exposure Report to identify any other error and inconsistencies.

PRAD has conducted a thorough review of the 2010 Exposure Report to identify other errors or inconsistencies.

Completed Completed as of June 27, 2012

Yes - Binders demonstrated a review of the FY2010 Exposure Report.

2. Correct all identified errors and inconsistencies and prepare a revised FY 2010 Annual Exposure Report. This report should be identified as revised and reflect the date of reissuance.

We agree and will do so. October 31, 2012

March 8, 2013 (Date of last Actuarial Certification)

Yes - Binders and a corrected FY2010 Exposure Report demonstrated correction of errors and inconsistencies.

3. Reissue the corrected FY 2010 Exposure Report in the same manner in which the original report was issued by sending it to parties who received it and posting the updated report (identified as revised with a

We agree. PBGC will post the updated Report on the PBGC public website, with specific notice that it is a revised Report, superseding a previous version. PBGC will include a new issue date on the website and in the Report. PBGC will transmit

October 31, 2012

October 15, 2013. (Date OIG received letter from former PBGC Director explaining the decision to not

No - June 19, 2013, PBGC management informed OIG that due to the passage of time, PBGC determined that reissuing the corrected FY2010 Exposure Report may be confusing to

32 AUD-2015-05/PA-13-98

MAR Necessary Action PBGC's First Report on its

Response to the MAR

PBGC's Reported

Target Dates

PBGC's Final Report to OIG

on its Response to

the MAR

OIG Comments & Opinion on Completion

(Yes or No)

new issue date ) on PBGC’s external website

the new Report to all parties who received the original Report.

issue the corrected report.)

readers, & as a result decided to not reissue the FY2010 Exposure Report.

4. Develop, document and enforce policies and procedures to ensure the adequate and efficient review of contractor work performed with PIMS, including enumerating duties and assigning responsibilities for the accuracy and integrity of critical reports.

PRAD will develop, document, and enforce policies and procedures to ensure the adequate and efficient review of contractor work performed with PIMS, including: enumeration of duties and the associated responsible parties (listed by position and by the named person currently responsible) for accuracy, and where applicable, separately for integrity of critical reports.

June 30, 2013

June 30, 2013 No - PBGC answered this with its Quality Assurance Procedures for Formal PRAD Reports Utilizing the Pension insurance Modeling System (PIMS) Manual. The Manual will be of limited use. It does not cover PRAD's full realm of actuarial and modeling work, and still lacks the details of adequate review of contractor work.

33 AUD-2015-05/PA-13-98

MAR Necessary Action PBGC's First Report on its

Response to the MAR

PBGC's Reported

Target Dates

PBGC's Final Report to OIG

on its Response to

the MAR

OIG Comments & Opinion on Completion

(Yes or No)

5. Develop, document and enforce policies and procedures for a quality review of actuarial work reported by PBGC, whether in an issued report or in response to ad hoc inquiries. This process should include clearly defined duties and assigned responsibilities, as well as methods to validate and clearly identify all supporting documentation. Documentation should be retained of any issues noted as well as of the actions taken in response to the issues.

PRAD has instituted several quality control procedures, and will formalize those and other quality control procedures. PRAD will develop, document, and enumerate full enforcement procedures for a quality review of actuarial work reported by PBGC. Assignments for duties; and responsibilities will be listed by position, and by the name of the person currently in that position or responsible for each policy or procedure.

The policies and procedures will detail the specific review mechanisms that will ensure appropriate review of outgoing reports as well as documentation requirements.

June 30, 2013

June 30, 2013 No - PBGC answered this with its Quality Assurance Procedures for Formal PRAD Reports Utilizing the Pension insurance Modeling System (PIMS) Manual. The Manual will be of limited use. It does not cover PRAD's full realm of actuarial and modeling work, and still lacks the details of adequate review of contractor work. Identification of supporting documentation was limited to the Exposure Reports. MTFs were established to note issues.

6. Develop, document and enforce policies and procedures to retain supporting documentation of work done by PRAD

The PBGC Director has already directed that supporting work papers for all reports must be retained. PRAD currently monitors PIMS

March 31, 2013

June 30, 2013 No - PBGC answered this with its Quality Assurance Procedures for Formal PRAD Reports Utilizing the

34 AUD-2015-05/PA-13-98

MAR Necessary Action PBGC's First Report on its

Response to the MAR

PBGC's Reported

Target Dates

PBGC's Final Report to OIG

on its Response to

the MAR

OIG Comments & Opinion on Completion

(Yes or No)

actuaries and of all accepted actuarial contractor deliverables.

contractor's standard review and testing procedures that they complete before sending code changes to PRAD. These quality control reviews have been documented through email messages among PRAD staff and the contractors. PRAD will implement a more formal and comprehensive documentation process, including review, signoffs, and proper storage and retrieval of a Quality Assurance Record that reflects best practices in actuarial consulting firms.

PRAD will also develop and document additional policies and procedures to retain supporting documentation of work done by PRAD actuaries and of all accepted actuarial contractor deliverables. These additional policies and procedures will include enforcement mechanisms to assure that policies

Pension insurance Modeling System (PIMS) Manual. Identification of supporting documentation was limited to the Exposure Reports. Weak language used in the Manual will make enforcement difficult.

35 AUD-2015-05/PA-13-98

MAR Necessary Action PBGC's First Report on its

Response to the MAR

PBGC's Reported

Target Dates

PBGC's Final Report to OIG

on its Response to

the MAR

OIG Comments & Opinion on Completion

(Yes or No)

and procedures are followed. 7. Conduct a records

management review of PRAD to determine what records must be maintained as federal records.

PRAD has already prepared a File Plan which will support this effort. We are actively engaged in assembling a multi-departmental team to complete this review. The team will include representatives with records management, legal, and actuarial expertise.

March 31, 2013

February 14, 2013 (Date on transmittal letter, the report does not have a date.)

No - PBGC answered this with its Records Management Review Report. PRAD's records inventory and definition of business process was incomplete.

8. Consistent with information quality guidelines for federal agencies and PBGC policy, develop and document a strategic review of the processes involved in creating actuarial reports from start to finish, so that critical control points, including input and output, can be established in order to increase quality control.

PRAD will perform a review of the processes involved in creating actuarial reports, and document those processes. The documentation will include procedures to be used in the creation of actuarial reports from start to finish, including the creation and storage of records showing: sources of inputs and the review of those sources and their use, outputs from computer simulations and their review, work products performing analyses for the reports, tracking of results published in reports showing

June 30, 2013

N/A No - In a meeting with the Acting Chief of Policy on August 9, 2013, the Chief Policy Officer informed OIG that PBGC had completed the Strategic Review and did not have further planned work for this. She followed up with a written response on August 8, 2013. The review binders and QAP Manual were said to support this effort. However, OIG found these products to be

36 AUD-2015-05/PA-13-98

MAR Necessary Action PBGC's First Report on its

Response to the MAR

PBGC's Reported

Target Dates

PBGC's Final Report to OIG

on its Response to

the MAR

OIG Comments & Opinion on Completion

(Yes or No)

the inputs and process leading to the result.

The documentation of the above will include standard procedures to be followed for periodic (annual, quarterly, etc.) and for ad hoc reports.

incomplete, and a work in progress.

AUD-2015-05/PA-13-98 37

Appendix C. Response from the Pension Benefit Guaranty Corporation

38 AUD-2015-05/PA-13-98

39 AUD-2015-05/PA-13-98

40 AUD-2015-05/PA-13-98

41 AUD-2015-05/PA-13-98

If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of

Inspector General.

Telephone: The Inspector General’s HOTLINE

1-800-303-9737

The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

Web: http://oig.pbgc.gov/investigation/details.html

Or Write: Pension Benefit Guaranty Corporation

Office of Inspector General PO Box 34177

Washington, DC 20043-4177